Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. FIX: ISA Server 2006 may be overloaded with authorization attempts after you apply hotfix 955113

FIX: ISA Server 2006 may be overloaded with authorization attempts after you apply hotfix 955113

View products that this article applies to.

Symptoms

Consider the following scenario:
  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 and enable VPN Client access.
  • The ISA Server 2006 computer is a member server of an Active Directory forest that has a one-way trust to another forest in which the VPN user accounts exist.
  • You have configured all rules that allow traffic from the VPN clients to other networks without any authentication.
  • You have applied hotfix 955113 to enable the traffic from those VPN clients.
In this scenario, the traffic from the VPN clients is forwarded correctly. However, ISA Server may be overloaded with authorization attempts.

↑ Back to the top

Cause

Before ISA Server checks the policy rules to determine whether traffic is allowed, it tries to create an authorization context for the client. When the client is from another forest that has a one-way trust, ISA Server cannot create that context. Therefore, ISA Server repeatedly tries to create the context for every new session. Depending on the number of sessions from the VPN clients, these attempts may overload ISA Server and cause packets to be dropped.

↑ Back to the top

Resolution

To resolve this problem, follow these steps:
  1. Apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
    956925 Description of the ISA Server 2006 hotfix package: August 20, 2008
  2. Start Notepad, and then copy the following script into a Notepad file.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableAuthZNULLContextCaching"
Const SE_VPS_VALUE = true

Sub SetValue()

    ' Create the root obect.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If

    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then

        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetValue
  3. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, save the file by using the following name:
    EnableAuthZNULLContextCaching.vbs
  4. Copy the .vbs file to the computer that is running ISA Server 2006, and then double-click the file.
After you apply these steps, ISA Server 2006 caches the negative responses from the AuthZ API and only tries to create the security context one time for each user.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: KB956922, kbfix, kbexpertiseinter, kbqfe

↑ Back to the top

Article Info
Article ID : 956922
Revision : 1
Created on : 11/11/2008
Published on : 11/11/2008
Exists online : False
Views : 290